Systems Engineering: A Job for SMS

Now that Windows 2000 is here, do you still need
SMS? That’s a question I hear many systems administrators
asking these days. Heck, as one whose job is primarily
involved with deploying Systems Management Server,
it’s a question I started asking myself as soon
as the first Win2K marketing salvos began launching
from Redmond. So to either allay my fears or to
get a head start on realigning my career priorities,
I started to investigate. The result of my research
reminds me of a high school English term paper
assignment: “All right, class, I want you to compare
and contrast the systems management features of
Win2K and SMS 2.0…”

On the surface, it would appear that Microsoft
stole the best features of SMS and built them
right into Win2K, but, as they say, the devil
is in the details. The desktop management features
of Win2K have often been referred to as “SMS Lite.”
I’d go so far as to call it, “SMS Ultra-Ultra
Lite,” but let’s take a closer look at Win2K’s
claim to fame in the area of systems management.

SMS 2.0 Service Pack 2 and Windows 2000

Service Pack 2 for SMS 2.0
is a must-have for any organization
with SMS 2.0 installed, even
on an all-Windows NT 4.0 network.
With Windows 2000 beginning
to appear on the desktop and
servers, SP2 becomes an absolute
necessity. (SMS 2.0 with Service
Pack 1 only officially provided
support for the Win2K Beta 3
release.) In addition to providing
a number of critical bug fixes
and performance enhancements,
plus NetWare 5 support, SP2
instills SMS 2.0 with nearly
complete Win2K compatibility.
Let’s look at what’s meant by
“nearly complete.”

Sites with Site Servers
residing on Domain Controllers
must be reinstalled if either
the domain is upgraded to
Active Directory or the domain
controller is upgraded to
Win2K.

Domain Controllers running
as Logon Points, CAPs, or
Distribution Points can be
upgraded to Win2K as long
as the Logon Points, CAPs,
or Distribution Points are
deleted before the upgrade
and then re-created after
the upgrade.

WINS is still required
even in a full Win2K environment.

If collapsing your domains
is part of your migration
to Active Directory, as with
NT 4.0, there’s no support
for moving SMS sites to different
domains without reinstalling.

No support for Active Directory
restricted groups.

Members of nested groups
or members of Universal groups
outside the AD domain where
the site resides won’t get
enumerated by SMS. AD Universal
groups are treated like NT
4.0 Global groups.

No support for clustering
a Site Server on Advanced
Server.

No support for Win2K
multi-language version.

SMS logon installation
can’t be used to install the
SMS client on servers supporting
Terminal Services; however,
you can use SMSman.exe or
the NT Remote Client Installation
method to install the SMS
client.

No software metering on
clients running Terminal Services.

Additional Considerations

As with NT 4.0 domains,
the SMS Service account requires
Domain Administrator rights
in an Active Directory domain.

Upgrading to SP2 requires
certain hotfixes to be applied
to your site prior to installing
the service pack. Which hotfixes
to apply depends on which
level your SMS site is at
prior to the upgrade (RTM
code or SP1). Be sure to read
all the README files first!

As with SP1, SP2 is a “slipstream”
upgrade, which means the service
pack is applied to the installation
files, not to the installed
site server. This means you
have to copy the SMS CD to
a network share or some other
writable location, apply
the service pack, then run
setup from those updated source
files. Check out the white
paper on deploying SMS service
packs at www.microsoft.com/smsmgmt/deployment/servicepacks.asp.

It may appear that The Nearly
list is longer than The Complete
list, but actually SP2 provides
about as much Win2K compatibility
as most enterprises will need
for some time to come. The next
version of SMS (rumored to be
code-named some other precious
stone, i.e. “Opal”) will no
doubt provide seamless integration
with whatever version of the
OS Microsoft has going at the
time, assuming Microsoft’s Operating
System division and its Applications
divisions are still part of
the same company!

—Mark Wingard

I Think I’m Being Followed!

Win2K can boast some great new management features
under the heading of IntelliMirror. With IntelliMirror
technology, administrators can apply policies
in the area of user data, desktop settings, and
software distribution. These policies follow users
as they log on to different computers on the network,
allowing them to consistently experience the same
desktop, data, and applications no matter when
or where they log on.

In the area of data management, through the use
of Group Policy, Offline Folders, and Synchronization
Manager, Win2K users can be heard muttering, “My
documents follow me!” For managing desktop
settings, administrators can employ Group Policies
and Roaming User Profiles to centrally define
computing environment settings on the network,
leading users to nervously gasp, “My preferences
follow me!” And finally, the software installation
and maintenance aspects of IntelliMirror enable
software installation, repair, update, and removal
across the network, and can cause users to bolt
from their cubicles, screaming, “My applications
follow me!”

In addition to the ability to install software
applications, Win2K provides for enhanced remote
installation of Win2K itself via the Remote Installation
Service (RIS). As if that weren’t enough, administrators
have the ability to perform remote control of
isolated servers and user desktops through the
built-in Terminal Services. So admit it, Microsoft,
SMS is dead!

Long Live SMS!

But wait… what’s that I hear Microsoft saying?
“Systems Management Server is the best change
and configuration management tool for Windows.”?!

While it’s true that Win2K has all these nice,
desktop management features, SMS has been around
the block once or twice itself and can perform
many of these same feats and then some. SMS will
concede the user data and desktop settings battle
to Win2K but is quick to assert, “Management is
my middle name!”

Software Distribution Advantages with SMS 2.0

Win2K allows administrators to distribute software
in two ways, by publishing and assigning. Publishing
means that software installs are optional to users
and are accessible through a Control Panel. When
users are ready to install a published application,
they can do so via the Add/Remove Programs Control
Panel. SMS 2.0 offers a similar, optional software
installation feature through the Advertised Programs
Manager Control Panel; however, SMS has the option
of letting users know there’s a potential software
install waiting by providing an icon in the SysTray.
(Published software installations within Win2K
presume users must be psychic to know an application
install is available!)

Assigning in Win2K means that software installs
are mandatory and will run the next time the user
logs on. SMS 2.0 also assigns mandatory software
installations, but with SMS they can be scheduled
to run at any time, night or day, whether or not
a user is even logged on. This can be a tremendous
advantage to administrators to have software installed
at night when users are away from their computers,
to both prevent user interference with the installation
and to eliminate user downtime while the install
is taking place.

SMS 2.0 also allows much greater flexibility
in targeting applications to users or computers.
Win2K uses an “all-or-nothing” approach to distribute
software to all users in a domain, a site, or
an organizational unit (OU). SMS 2.0 bases software
distribution on collections, which can include
a single user, multiple users, or computers, regardless
of their OU membership, so software distributions
can be targeted with extreme granularity. For
instance, a collection could be based on a query
of the SMS database to find all PCs running Windows
98, with at least 64M of RAM, 1G of free disk
space, and Internet Explorer 4.01 with Service
Pack 2 or higher installed. Such a query could
run against all computers in an SMS site, regardless
of their domain or OU membership, or it could
be based on NT or Win2K groups.

Collections are rules-based, which means their
membership can dynamically change if the group
membership the collection is based on changes
or the users’ computer configuration changes.
(Did I mention that in spite of a rich set of
objects that can be stored in Active Directory,
hardware and software inventory isn’t a feature
of Win2K?) SMS can also use OUs for targeting
software installations in an Active Directory
environment provided administrators use scripting
tools (found in the SMS Toolkit or via ADSI, Active
Directory Scripting Interface) to translate Active
Directory OUs to SMS 2.0 collections.

“Oh, yeah, well what about the ability in Win2K
to employ just-in-time (JIT) software distribution
and automatic rollback or repair of damaged applications?”
you might ask.

Those are features of Windows Installer, not
Win2K, buckaroo. While Windows Installer comes
installed as a part of Win2K, it also gets installed
as part of Office 2000 or can be downloaded as
part of the Microsoft Platform SDK and can run
on many versions of Windows. Therefore, SMS is
just as capable of deploying Windows Installer
repackaged applications as Win2K is, but with
greater flexibility.

SMS 2.0 goes further with the exclusive availability
of the SMS Installer to allow a wide range of
enhancements in repackaging application installs,
such as additional registry changes, control over
dialog boxes, software settings, and icon placement.
Microsoft will shortly be making available for
download a tool called the Installer Step-up Utility,
to convert existing SMS Installer executables
to Windows Installer files so SMS administrators
will have the best of both worlds. (See the TechNet
article, “Installer Step-up Utility for MS Systems
Management Server.”) Optionally you can purchase
Wise’s Installer for the Windows Installer, which
creates MSIs and obviates the need for a conversion
utility (www.wisesolutions.com/default.htm).

Software Distribution Reporting

SMS 2.0 has built-in status reporting for a number
of its features. Among these is Advertisement
status reporting, in other words, reporting on
the success or failure of software distributions,
assuming administrators have enabled a status
MIF for the advertisement. When you’re distributing
a new application to hundreds of users overnight,
it’s useful to know which computers ran the install—and
of those, how many completed it successfully.
Unfortunately, the only kind of software distribution
status reporting available to Win2K is when the
users call the help desk the next morning to report,
“Hey, that thing that ran when I logged on just
broke my computer!”

Operating System Installs

The RIS feature of Win2K allows remote installation
of Win2K Professional to fresh systems, meaning
virgin computers with a PXE-enabled network card
that have the capability to boot up and connect
to the network. [See “Assembly-line
Deployment” by John Gunson in the May 2000
issue.—Ed.] RIS, however, can’t be used to upgrade
previous versions of Windows to Win2K.

Conversely, SMS 2.0 can push out only OS upgrades.
There must be an existing version of Windows on
the target desktop. For PCs fresh out of the box,
RIS is definitely the way to go; however, if the
target PC is an SMS client, then administrators
can check its hardware and software inventory
to see if the potential candidate has what it
takes to run Win2K Pro in the first place.

Heterogeneous Environments

SMS 2.0 clients can include many flavors of Windows,
from Windows 3.1x, to Windows 9.x, NT 3.5 and
above, as well as Win2K (as of SMS 2.0 SP2). SMS
is also designed to work on a Novell NetWare network.
Win2K’s desktop management features are only available
in an all-Win2K environment, and this will take
a long time to achieve in most enterprises.

Other Exclusive SMS Features

SMS 2.0 includes a host of other systems management
features not found in Win2K. Among these are:

WAN Support—SMS
2.0 can regulate communications and software
distributions over slow links in a variety of
ways, including the ability to choose the percentage
of bandwidth used to distribute packages between
SMS sites, the LAN protocol to use, and support
for RAS protocols, as well as schedule packages
to run as updates across the LAN or WAN. The
Courier Sender feature enables software distribution
via CD-ROM or other media to really remote sites
when network connectivity is extremely slow,
unreliable, or nonexistent. (How about software
installs to ships at sea or oil rigs in the
North Atlantic?)

Asset Management—As
I mentioned earlier, software and hardware inventory
can often be the cornerstone of proactive software
distribution. These inventories allow administrators
to determine whether a given desktop machine
meets the prerequisites for software upgrades.
Manual hardware and software inventorying can
be incredibly time-consuming, but SMS 2.0 performs
this valuable service in the background and
makes the information available to an administrator
almost without that person having to lift a
finger.

Software Metering—While
unfortunately underpowered, software metering
by SMS is still a great tool for recording what
software is in use on the network and enforcing
licensing restrictions if necessary.

Server Health Monitoring—SMS
2.0’s HealthMon is a variation on Performance
Monitor that can provide critical performance
information on processes such as Processor,
Memory, Server Work Queues, and the like on
Windows NT and 2000 Server and various Microsoft
BackOffice products such as SQL Server, Exchange
Server, and Internet Information Server.

Network Topology Tracing
Tool—This feature provides a graphical
display of the network routes between servers
within an SMS site, including the activity and
status of infrastructure devices such as routers
and hubs. Network Tracing allows for quick analysis
of the potential success or failure of an action
such as software distribution to a remote location.

The full version of
Network Monitor—While Win2K Server includes
Network Monitor, it will only monitor traffic
on the segment where the Win2K Server resides.
It also only includes drivers to monitor other
Win2K systems. To use Network Monitor to view
traffic on your entire network, as well as to
monitor both Win2K and other versions of Windows,
you’ll need the version that comes with SMS
2.0. (Note: SMS 2.0 SP2 will be required for
full Win2K client functionality.)

Integration with other
network management tools—SMS can do a
lot but certainly not everything required to
keep on top of your network. Fortunately, the
systems management capabilities of SMS 2.0 are
compatible with other network management tools
such as CA Unicenter TNG, Hewlett Packard OpenView
ManageX, NetIQ AppManager Suite, Network Associates
Magic Total Service Desk, and Tivoli enterprise
management solutions.

Remote troubleshooting—Win2K
Server sports Terminal Services, which can allow
remote control of other Windows computers once
the client is installed and the server side
is enabled. SMS 2.0 offers the same capability
on its clients and provides administrators the
ability to perform various other remote diagnostics
and troubleshooting. Note:
The remote control feature of Terminal Services
is definitely peppier than its SMS counterpart;
however, Terminal Services lacks flexibility
on the security configurations available to
administrators. And speaking of security, the
remote control feature of SMS offers much stronger
encryption of sessions than the ICA protocol
the original Citrix MetaFrame client used (what
Terminal Server was originally based on). Let’s
hope that the Remote Desktop Protocol (RDP)
employed by Win2K Terminal Services is more
secure.

Let’s be realistic. Do you really think Microsoft
would abandon an ongoing revenue stream if it
didn’t have to? The folks in Redmond have been
careful to position the desktop management features
of Win2K in such a way as to not cut into the
market SMS enjoys. Systems Management Server is
a complex and powerful tool, well suited to the
large, complex, mixed-Windows organization. In
many ways, the desktop management features of
Win2K have been designed to provide SMS-like capabilities
for environments in which SMS might be overkill.

Officially, Microsoft says SMS “extends the systems
management features of Windows 2000,” but—between
you and me—the Win2K desktop management features
are for organizations unprepared to invest the
resources required for a real desktop management
tool like SMS. And to be practical, those resources
aren’t insignificant. In addition to the cost
of licensing fees, a serious investment in both
training and retaining staff to be qualified SMS
administrators is required for organizations that
are committed to managing their desktops. It’s
not that the desktop management features of Win2K
are trivial or ineffective; it’s more like, “Yes,
you can replace that leaky faucet on your own
(Win2K) if you want, but for those major plumbing
problems under the house, call a professional
plumber (SMS) for heaven’s sake!”

For an introduction to
Windows Management Services,
including management roles
and disciplines, as well as
the architecture for management
solutions that will be available
either as part of the OS or
as an add-on, go to www.microsoft.com/windows/server/Technical/management/default.asp.
You’ll also find an overview
of Change and Configuration
Management and an introduction
to how Microsoft products
such as IntelliMirror technologies
in Win2K, Remote OS Install,
and SMS address this management
discipline. Likewise, you
can read an overview of the
features of IntelliMirror
technologies in Win2K and
scenarios for how organizations
can benefit from IntelliMirror.

Microsoft also recognizes that, for a number
of reasons (including one that might be spelled
“D-O-J”), it may take a few years yet before Win2K
has completely taken over the desktops of the
corporate world. Until that time comes, there’s
no real rival to SMS for the systems management
features it supports. By the time Win2K does become
ubiquitous on the desktop, SMS will have evolved
to fully leverage Win2K and Active Directory.
So don’t start chucking those SMS skills quite
yet. And if you’re one of the few, the proud,
the brave to have successfully passed the SMS
2.0 exam, just think: It’s one elective you won’t
have to retest on to keep your MCSE current with
Win2K!